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Foreword 



id , 



This Technical Specification has been produced by the 3 Generation Partnership Project (3GPP). 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an 
identifying change of release date and an increase in version number as follows: 

Version x.y.z 

where: 

x the first digit: 

1 presented to TSG for information; 

2 presented to TSG for approval; 

3 or greater indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the document. 



Introduction 

The absence of security in Signalling System No. 7 (SS7) networks is an identified security weakness in 2G systems. 
This was formerly perceived not to be a problem, since the SS7 networks were the provinces of a small number of large 
institutions. This is no longer the case, and so there is now a need for security precautions. 

For 3G systems it is a clear goal to be able to protect the core network signalling protocols, and by implication this 
means that security solutions must be found for both SS7 and IP based protocols. 

Various protocols and interfaces are used for control plane signalling within and between core networks. The security 
services that have been identified as necessary are confidentiality, integrity, authentication and anti-replay protection. 
These will be ensured by standard procedures, based on cryptographic techniques. 
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Scope 



This technical specification covers the security mechanisms and procedures necessary to protect the MAP protocol. The 
complete set of enhancements and extensions to facilitate security protection for the MAP protocol is termed MAPsec 
and it covers transport security in the MAP protocol itself and the security management procedures. 

The security mechanisms specified for MAP are on the application layer. This means that MAPsec is independent of the 
network and transport protocols to be used. 

This technical specification contains the stage-2 specification for security protection of the MAP protocol. The actual 
implementation (stage-3) specification can be found in the MAP stage-3 specification, TS 29.002 [4]. 

This specification applies to MAP version 3, TS 29.002 [4] Rel-4 and higher. 

NOTE: It is explicitly noted that automated key management and key distribution is not part of Rel-4. All key 
management and key distribution in Rel-4 must therefore be carried out by other means. (See Annex A) 



2 References 

The following documents contain provisions which, through reference in this text, constitute provisions of the present 
document. 

• References are either specific (identified by date of publication, edition number, version number, etc.) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply. 

• For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including 
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same 
Release as the present document. 

[1] 3G TS 21.133: Security Threats and Requirements. 

[2] 3G TS 21.905: 3G Vocabulary. 

[3] 3G TS 23.060: General Packet Radio Service (GPRS); Service description; Stage 2. 

[4] 3G TS 29.002: Mobile Application Part (MAP) specification. 

[5] ISO/IEC 10116: "Information technology — Security techniques — Modes of operation for an n-bit 

block cipher", Ed.2, 1997-04-17. 

[6] ISO/IEC 9797: "Information technology — Security techniques — Message Authentication Codes 

(MACs) - Part 1: Mechanisms using a block cipher", Ed.l, 1999-12-16. 

3 Definitions, symbols and abbreviations 
3.1 Definitions 

For the purposes of the present document, the following terms and definitions apply. 

Anti-replay protection: Anti -replay protection is a special case of integrity protection. Its main service is to protect 
against replay of self-contained packets that already have a cryptographical integrity mechanism in place. 

Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities 
or processes. 

Data integrity: The property that data has not been altered in an unauthorised manner. 
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Data origin authentication: The corroboration that the source of data received is as claimed. 

Entity authentication: The provision of assurance of the claimed identity of an entity. 

Key freshness: A key is fresh if it can be guaranteed to be new, as opposed to an old key being reused through actions 
of either an adversary or authorised party. 

Security Association: A logical connection created for security purposes. All traffic traversing a security association is 
provided the same security protection. The security association specifies protection levels, algorithms to be used, 
lifetime of the connection etc. 

MAPsec: The complete collection of protocols and procedures needed to protect MAP messages. MAPsec can be 
divided into three main parts. These are (1) MAPsec transport security, (2) MAPsec Local Security Association 
distribution and (3) MAPsec Inter-domain Security Association and Key Management procedures. 

3.2 Symbols 

For the purposes of the present document, the following symbols apply: 

f6 MAP encryption algorithm 

n MAP integrity algorithm 

Zf The MAP application layer security interface between MAP-NEs engaged in security protected 

signalling. 

3.3 Abbreviations 

For the purposes of the present document, the following abbreviations apply: 

AES Advanced Encryption Standard 

FALLBACK Fallback to unprotected mode indicator 

IP Internet Protocol 

IV Initialisation Vector 

MEK MAP Encryption Key 

MAC Message Authentication Code 

MAC-M MAC used for MAP 

MAP Mobile Application Part 

MAP-NE MAP Network Element 

MAPsec MAP security - the MAP security protocol suite 

MEA MAP Encryption Algorithm identifier 

MIA MAP Integrity Algorithm identifier 

MIK MAP Integrity Key 

NDS Network Domain Security 

NE Network Entity 

PPI Protection Profile Indicator 

PROP Proprietary field 

SA Security Association 

SADB Security Association DataBase 

SPD Security Policy Database (sometimes also referred to as SPDB) 

SPI Security Parameters Index 

TVP Time Variant Parameter 

3.4 Conventions 

All data variables in this specification are presented with the most significant substring on the left hand side and the 
least significant substring on the right hand side. A substring may be a bit, byte or other arbitrary length bitstring. 
Where a variable is broken down into a number of substrings, the leftmost (most significant) substring is numbered 0, 
the next most significant is numbered 1, and so on through to the least significant. 
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4 Principles of MAP application layer security 

This technical specification defines mechanisms for protecting the MAP protocol at the application layer. The MAP 
protocol may also be protected at the network layer when IP is used as the transport protocol. However, whenever inter- 
working with networks using SS7-based transport is necessary, protection at the application layer shall be used. 

Before protection can be applied, Security Associations (SA) needs to be established between the respective MAP 
network elements. Security associations define, among other things, which keys, algorithms, and protection profiles to 
use to protect MAP signalling. The necessary MAP-SAs between networks are negotiated between the respective 
network operators. The negotiated SA will be effective PLMN-wide and distributed to all network elements which 
implement MAP application layer security within the PLMN. Signalling traffic protected at the application layer will, 
for routing purposes, be indistinguishable from unprotected traffic to all parties except for the sending and receiving 
entities. 

Protection at the application layer implies changes to the application protocol itself to allow for the necessary security 
functionality to be added. 

The MAP application layer security interface between MAP-NEs engaged in security protected signalling is referred to 
in this specification as the Zf interface. The interface applies to all MAPsec transactions, intra- or inter-PLMN. 



5 MAP security (MAPsec) 

5.1 Security services provided by MAPsec 

The security services provided by MAPsec are: 
data integrity; 
data origin authentication; 
anti-replay protection; 
confidentiality (optional). 

5.2 Properties and tasks of MAPsec enabled network elements 

MAPsec MAP-NEs shall maintain the following databases: 

NE-SPD-MAP: A database in an NE containing MAP security policy information (see clause 5.3); 

- NE-SADB-MAP: A database in an NE containing MAP-SA information. MAP-NEs shall monitor the SA 
lifetime and expired SAs shall be deleted from the database (see clause 5.4). 

MAPsec MAP-NEs shall be able to perform the following operations: 

Secure MAP signalling (i.e. send/receive protected or unprotected messages) according to information in NE- 
SPD-MAP and NE-SADB-MAP. The structure of protected messages is defined in clause 5.5 and the protection 
algorithms are defined in clause 5.6. 

Editor's note: Message flows to illustrate the in/out processing sequences are under development. 
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5.3 Policy requirements for the MAPsec SPD 

The security policies for MAPsec key management are specified in the NE's SPD. SPD entries define which MAP SAs 
(if any) to use to protect MAP signalling based on the PLMN of the peer NE. There can be no local security policy 
definitions for individual NEs. Instead, SPD entries of different NE within the same PLMN shall be identical. 

Editor's note: Some issues need to be investigated: Include and clarify fallback indicator; Policy for SA renewal, 
the need for START time, mechanism to distinguish inbound/outbound SPDs ? Implications of 
Protection Mode differing between operators for the same type of operation (Danger of active 
attacker changing the source PLMN ID). 

5.4 MAPsec security association attribute definition 

The MAPsec security association is a sequence of the following data elements: 
MAPsec security association = MEA II MEK II MIA II MIK II PPI II Fallback II SA lifetime 

- MAP Encryption Algorithm identifier (ME A): 

Identifies the encryption algorithm. Mode of operation of algorithm is implicitly defined by the algorithm 
identifier. Mapping of algorithm identifiers is defined in clause 5.6. 

- MAP Encryption Key (MEK): 

Contains the encryption key. Length is defined according to the algorithm identifier. 

- MAP Integrity Algorithm identifier (MIA): 

Identifies the integrity algorithm. Mode of operation of algorithm is implicitly defined by the algorithm 
identifier. Mapping of algorithm identifiers is defined in section 5.6. 

- MAP Integrity Key (MIK): 

Contains the integrity key. Length is defined according to the algorithm identifier. 

- Protection Profile Identifier (PPI): 

Identifies the protection profile. Length is 16 bits. Mapping of profile identifiers is defined in section 6. 

- Fallback to Unprotected Mode Indicator (FALLBACK): 

In the case that protection is available, this parameter indicates whether fallback to unprotected mode is allowed. 
This is a one bit indicator where the value one indicates that fall back to unprotected mode is permitted and value 
zero indicates that fallback to unprotected mode is not permitted. 

Editor's note: The fallback indicator may be moved to the SPD. 

- SA Lifetime: 

Defines the actual expiry time of the SA. The expiry of the lifetime shall be given in UTC time. 
Editor's Note: The exact format and length to be defined. 

If the SA is to indicate that MAPsec is not to be applied then all the algorithm attributes shall contain a NULL value. 

5.5 MAPsec structure of protected messages 

MAPsec provides for three different protection modes and these are defined as follows: 
Protection Mode 0: No Protection 
Protection Mode 1 : Integrity, Authenticity 



ETSI 



3GPP TS 33.200 version 4.0.0 Release 4 9 ETSI TS 1 33 200 V4.0.0 (2001 -06) 

Protection Mode 2: Confidentiality, Integrity, and Authenticity 

MAP operations protected by means of MAPsec consist of a Security Header and the Protected Payload. Secured MAP 
messages have the following structure: 

| Security Header | Protected Payload j 

In all three protection modes, the security header is transmitted in cleartext. 

In protection mode 2 providing confidentiality, the protected payload is essentially the encrypted payload of the original 
MAP message. For integrity and authenticity in protection modes 1 and 2, the message authentication code is calculated 
on the security header and the payload of the original MAP message in cleartext and it is included in the protected 
payload. In protection mode no protection is offered, therefore the protected payload is identical to the payload of the 
original MAP message. 

5.5.1 MAPsec security header 

The security header is a sequence of the following data elements: 

Security header = TVP 1 1 NE-Id 1 1 Prop 1 1 Sending PLMN-Id 1 1 SPI 1 1 Original component Id 

- TVP: 

The TVP is used for replay protection of Secured MAP operations is a 32 bit time-stamp. The receiving network 
entity will accept an operation only if the time-stamp is within a certain time-window. The resolution of the 
clock from which the time-stamp is derived is 0.1 seconds. The size of the time-window at the receiving network 
entity is not standardised. 

- NE-Id: 



6 octets used to create different IV values for different NEs within the same TVP period. It is necessary and 
sufficient that NE-Id is unique per PLMN. (This is sufficient because sending keys are unique per PLMN.) The 
NE-Id shall be the E. 164 global title of the NE without the MCC and MNC. 

Proprietary field (PROP): 

4 octets used to create different IV values for different protected MAP messages within the same TVP period for 
one NE. The usage of the proprietary field is not standardised. 

Sending PLMN-Id: 

PLMN-Id is the ID number of the sending Public Land Mobile Network (PLMN). The value for the PLMN-Id is 
a concatenation of the Mobile Country Code (MCC) and Mobile Network Code (MNC) of the sending network. 

Security Parameters Index (SPI): 

SPI is an arbitrary 32-bit value that is used in combination with the sender's PLMN-Id to uniquely identify a 
MAP-SA. 

Original Component identifier: 

Identifies the type of component (invoke, result or error) within the MAP operation that is being securely 
transported (Operation identified by operation code, Error defined by Error Code or User Information). 
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5.5.2 Protected payload 

5.5.2.1 Protection Mode 

Protection Mode offers no protection at all. Therefore, the protected payload of Secured MAP messages in protection 
mode is identical to the original MAP message payload in cleartext. 

For cases where Protection Mode is to be used the protection level will be identical to the original unprotected MAP 
message. It is therefore allowed as an implementation option to let Protection Mode operations be sent without the 
security header. 

5.5.2.2 Protection Mode 1 

The protected payload of Secured MAP messages in protection mode 1 takes the following form: 

CleartextH f7(Security Header||Cleartext) 

where "Cleartext" is the payload of the original MAP message in cleartext. Therefore, in Protection Mode 1 the 
protected payload is a concatenation of the following information elements: 

Cleartext 

Message authentication code (MAC-M) calculated by the function f7 

Authentication of origin and message integrity are achieved by applying the message authentication code (MAC-M) 
function f7 with the integrity key defined by the security association to the concatenation of Security Header and 
Cleartext. The MAC-M length shall be 32 bits. 

5.5.2.3 Protection Mode 2 

The protected payload of Secured MAP Messages in protection mode 2 takes the following form: 

f6( Cleartext) || f7(Security Header|| f6( Cleartext)) 

where "Cleartext" is the original MAP message payload in cleartext. Confidentiality is achieved by encrypting Cleartext 
using the encryption function f6 with the confidentiality key defined by the security association and the initialisation 
vector (IV). Authentication of origin and integrity are achieved by applying the message authentication code (MAC-M) 
function f7 with the integrity key defined by the security association to the concatenation of Security Header and 
ciphertext. The MAC-M length shall be 32 bits. The length of the ciphertext is the same as the length of the cleartext. 

5.6 MAPsec algorithms 

5.6.1 Mapping of MAP-SA encryption algorithm identifiers 

The MEA algorithm indication fields in the MAP-SA are used to identify the encryption algorithm and algorithm mode 
to be used. The mapping of algorithm identifiers is defined below. 

Table 1 : MAP encryption algorithm identifiers 



MAP Encryption Algorithm 
identifier 


Description 





Null 


1 


AES in a stream cipher mode (MANDATORY) 




-not yet assigned- 


15 


-not yet assigned- 



ETSI 



3GPP TS 33.200 version 4.0.0 Release 4 1 1 ETSI TS 1 33 200 V4.0.0 (2001 -06) 

5.6.1 .1 Description of MEA-1 

The MEA-1 algorithm is the ISO/IEC 101 16 Counter Mode with parameter j= 128 bits, SV=IV and truncation of the last 
block is according to the method described in ISO/IEC 101 16 Annex A.5.3. See ISO/IEC 101 16 [5] for more 
information. 

Editor's Note: More specification on the mode of operation for MEA-1 may be required. 

5.6.2 Mapping of MAP-SA encryption algorithm identifiers 

The MIA algorithm indication fields in the MAP-SA are used to identify the integrity algorithm and algorithm mode to 
be used. The mapping of algorithm identifiers is defined below. 

Table 2: MAP integrity algorithm identifiers 



MAP Integrity Algorithm 
identifier 


Description 





Null 


1 


AES in a CBC MAC mode (MANDATORY) 




-not yet assigned- 


15 


-not yet assigned- 



5.6.1 .1 Description of MIA-1 

The MIA-1 algorithm is the ISO/IEC 9797 Part 1: padding method 2, MAC algorithm 1 (initial transformation^, 
output transformation^). No IV used. See ISO/IEC 9797 [6] for more information. 

Editor's Note: More specification on the mode of operation for MIA-1 may be required. 

5.6.3 Construction of IV 

The IV used in the encryption shall be constructed as follows: 

IV = TVP II NE-Id II Prop II Pad 
The padding field is used to expand TVP II NE-Id II Prop to the IV length required by the cryptographic scheme in use. 
The IV length shall be 16 octets. The padding (Pad) shall be 2 octets with all bits set to zero. 



6 MAPsec protection profiles 

6.1 Granularity of protection 

MAPsec protection is specified per MAP operation component. 

6.2 MAPsec protection groups 

This section specifies groups of messages and their protection modes at the operation component level. Individual 
protection groups or particular combinations of groups can then be used to construct protection profiles as specified in 
section 6.3. 

Combinations of overlapping protection groups are forbidden. Forbidden combinations are explicitly specified in 6.2.1 
below. 

The concept of "protection levels" is introduced to administrate the protection mode on operation component level. A 
protection level of an operation determines the protection modes used for the operation's components according to the 
following table. 
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Table 3: MAPsec protection levels 



Protection 
level 


Protection mode for 
invoke component 


Protection mode for 
result component 


Protection mode for 
error component 


1 


1 








2 


1 


1 





3 


1 


2 





4 


2 


1 





5 


2 


2 





6 


2 









6.2.1 MAPsec protection groups 



6.2.1.1 



MAP-PG(O) - No Protection 



This MAP-PP does not contain any operation and it does not protect any information. It is useful however to have a 
"null" MAP-PP to use in situations where no security is required or is an option. This protection group cannot be 
combined with any other protection group. 

6.2.1 .2 MAP-PG(1 ) - Protection for Reset 

Table 4: PG(1) - Protection for Reset 



Application Context/Operation 


Protection Level 


ResetContext-v2/ 
Reset 


1 


ResetContext-v1/ 
Reset 


1 



6.2.1 .3 MAP-PG(2) - Protection for Authentication Information except Handover 

Situations 

Table 5: PG(2) - Protection for Authentication Information except Handover Situations 



Application Context/Operation 


Protection Level 


lnfoRetrievalContext-v3/ Send 
Authentication Info 


3 


lnfoRetrievalContext-v2/ Send 
Authentication Info 


3 


InfoRetrievalContext-vl/ Send 
Parameters 


3 


lnterVlrlnfoRetrievalContext-v3/ 
Send Identification 


3 


lnterVlrlnfoRetrievalContext-v2/ 
Send Identification 


3 
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6.2.1.4 



MAP-PG(3) - Protection for Authentication Information in Handover 
Situations 

Table 6: PG(3) - Protection for Authentication Information in Handover Situations 



6.2.1.5 



Application Context/Operation 


Protection Level 
(Component level) 


HandoverControlContext-v3/ 
Prepare Handover 
(Note that the AC contains also 
other operations) 


4 


HandoverControlContext-v3/ 
Forward Access Signalling 
(Note that the AC contains also 
other operations) 


4 


HandoverControlContext-v2/ 
Prepare Handover 
(Note that the AC contains also 
other operations) 


4 


HandoverControlContext-v2/ 
Forward Access Signalling 
(Note that the AC contains also 
other operations) 


4 


HandoverControlContext-v1/ 
Perform Handover 
(Note that the AC contains also 
other operations) 


4 


HandoverControlContext-v1 / 
Forward Access Signalling 
(Note that the AC contains also 
other operations) 


4 



MAP-PG(4) - Protection of non location dependant HLR data 
Table 7: PG(4) - Protection of non location dependant HLR data 



Application Context/Operation 


Protection Level 


AnyTimlnfoHandlingContext-v3 / 
AnyTimeModification 


1 


SubscriberDataMngtContext-v3 / 
DeleteSubsciberData 


1 



Editor's Note: Protection Group 4 is not complete. 



6.3 MAPsec protection profiles 



Protection profiles can be individual protection groups or particular combinations of protection groups. MAP protection 
profiles are coded as a 16 bit binary number where each bit corresponds to a protection group. Currently only 5 groups 
are defined, the rest are reserved for future use. 

Table 8: Protection profile encoding 



Protection 


profile bit 


Protection group 







No protection 


1 


Reset 


2 


Authentication information except handover situations 


3 


Authentication information in handover situations 


4 


Non-location dependant HLR data 


5-15 


Reserved 
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The following protection profiles are defined. 



Table 9: Protection profile definition 



Protection 

profile 

name 


Protection group 


PG(0) 

No 

protection 


PQ(1) 
Reset 


PG(2) 

Authlnfo 

except 

handover 

situations 


PG(3) 
Authlnfo in 
handover 
situation 


PQ(4) 

Non-location 
dependant 
HLR data 


Profile A 


•/ 










Profile B 




•/ 


•/ 






Profile C 




S 


S 


•/ 




Profile D 




•/ 


•/ 


•/ 


•/ 


Profile E 




S 


S 




S 
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Annex A (informative): 

Guidelines for manual key management 

A.1 Inter-domain Security Association and Key 
Management Procedures 

Manual Inter-domain Security Association and Key Management procedures is subject to roaming agreements. 
Some important parts of an inter-domain Security Association and Key Management agreement is: 

to defined how to carry out the initial exchange of MAPsec S As 

to defined how to renew the MAPsec SAs 

to define how to withdraw MAPsec SAs (including requirements on how fast to execute the withdrawal) 

to decide if fallback to unprotected mode is to be allowed 

to decide on key lengths, algorithms, protection profiles, and SA lifetime etc (MAPsec SAs are expected to be 
fairly long lived) 

A.2 Local Security Association Distribution 

Manual Local Security Association Distribution is executed entirely within one PLMN and is consequently at the 
discretion of the administrative authority. 

The requirement on the manual distribution procedures can be summarized as follows: 

Fallback to unprotected mode. MAPsec may be required or it may be optional towards other MAP-NEs. 
Procedures to set this information in the MAP-NEs on a per PLMN destination basis must be provided. This 
information should available to the MAP-NE before any communication towards other MAP-NEs is to take 
place. MAP-NEs capable of executing MAPsec should define a default value for the MAPsec fallback to 
unprotected mode indicator. 

- Procedures for transporting the relevant MAPsec SA to the MAP-NEs must be defined. In order to ensure that 
the MAPsec SA are present when needed, all valid MAPsec SA should be distributed to all MAP-NEs as soon as 
they are available. 

Procedures for revocation of MAPsec SAs must be defined 
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